Beyond good ol’ Run key, Part 147

I mentioned TestHook at least twice in the past. I actually love this keyword/string, because it is associated with many undocumented internal Microsoft test frameworks that we can sometimes abuse. And many ‘TestHook’ string references are present in many binaries belonging to both Server and Desktop versions of Windows, hence a lot of research opportunities await…

And here’s one of them:

Adding an entry below:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks\TestAggregatorDll=<malware>

will result in the DLL of our choice being loaded when the system starts.

VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin

If you still use VMware, your Windows guest system will benefit from an installation of VMware Tools.

The VMware Tools package is usually installed into this directory:

c:\Program Files\VMware\VMware Tools

It turns out that running the executable:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe

leads to it trying to load a phantom DLL:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.dll

So, as usual, creating your own payload DLL and placing it in that location can help us to load it via proxy.
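As an added defender-side check (not part of the original posts), the PowerShell audit below covers both locations described above: the DiagTrack TestHooks registry value and the phantom VMwareResolutionSet.dll path. It assumes VMware Tools lives in the default directory quoted above.

```powershell
# Added audit script, not from the original posts. Reports whether either of the
# two persistence locations discussed above is populated on this host.

$findings = @()

# 1. DiagTrack TestHooks: the TestAggregatorDll value does not exist on a clean system.
$hookKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks'
$hookName = 'TestAggregatorDll'
if (Test-Path -LiteralPath $hookKey) {
    $item = Get-ItemProperty -LiteralPath $hookKey -Name $hookName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $hookDll = [string]$item.$hookName
        # Guard against an empty value: Test-Path rejects an empty path outright.
        $onDisk = if ([string]::IsNullOrWhiteSpace($hookDll)) { $false }
                  else { Test-Path -LiteralPath $hookDll }
        $findings += [pscustomobject]@{
            Check     = 'DiagTrack TestAggregatorDll value present'
            Detail    = $hookDll
            FileExists = $onDisk
        }
    }
}

# 2. Phantom DLL next to VMwareResolutionSet.exe: VMware Tools does not ship this DLL,
#    so its presence beside the EXE means it was planted. Assumed default install path.
$vmDir  = 'C:\Program Files\VMware\VMware Tools'
$vmExe  = Join-Path $vmDir 'VMwareResolutionSet.exe'
$vmDll  = Join-Path $vmDir 'VMwareResolutionSet.dll'
if ((Test-Path -LiteralPath $vmExe) -and (Test-Path -LiteralPath $vmDll)) {
    # Record the Authenticode status so the analyst sees at a glance whether the DLL is signed.
    $sig = Get-AuthenticodeSignature -FilePath $vmDll
    $findings += [pscustomobject]@{
        Check      = 'Phantom VMwareResolutionSet.dll present'
        Detail     = "$vmDll (signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
        FileExists = $true
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TestAggregatorDll value and no VMwareResolutionSet.dll found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

For continuous coverage, the TestHooks key path is also a natural candidate for a Sysmon registry value-set (Event ID 13) rule, and the VMware Tools directory for a file-creation rule.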